A company is using AWS Organizations. They want to implement a centralized logging solution where all AWS CloudTrail logs and VPC Flow Logs from 100+ member accounts are sent to a single Amazon S3 bucket in a dedicated 'Log Archive' account. The security team wants to ensure that no one, not even the administrators of the member accounts, can modify or delete the logs once they are written. Which solution is the MOST secure and scalable?

Create an Organization Trail in the management account. Configure VPC Flow Logs in member accounts to send to the central S3 bucket. Enable S3 Object Lock in compliance mode on the central bucket.

Create a Service Control Policy (SCP) that denies the 's3:DeleteObject' action and attach it to all member accounts.

Configure CloudTrail and VPC Flow Logs in each member account to write to local S3 buckets. Use S3 Cross-Region Replication to copy them to the central bucket.

Enable AWS Config in the management account to monitor the integrity of the CloudTrail logs.